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DISTRIBUTED AUTHENTICATION FRAMEWORK STACK 
Field of the Invention 

[0001] This invention relates to computer-based communication systems and more 
5 particularly to methods and systems for providing authentication to end user 
applications. 

Background 

[0002] The rapid advance in computer-based communications systems, such as the 
10 public Internet and private Intranet, has meant that more and more data is being 
transmitted via this medium. For much of this data, including financial and health 
records security is extremely important. As a result, considerable development has 
gone into creating security mechanisms. Concomitant with these developments is 
the effort by hackers and other system attackers to find ways to break the security 
15 mechanisms. One way to reduce attacks is to ensure that users of the system, 
whether to receive data or to send data, are who they say they are. This has 
resulted in a range of authentication services being built for network users. 

[0003] Authentication systems are typically incorporated into computer based 
20 communication systems to verify a user's right to access network resources. In a 
basic application when a user logs into the computer system an authentication 
process is initiated to verify the identity of the user. A common login process 
involves the entry of a password. The computer system compares the password 
with a stored list and, if the entered code matches the stored list, access is 
25 authorized. Conversely, if there is no match authentication is denied. 

[0004] Basic password systems, although sufficient for low security related 
applications, do not provide the level of security needed for more sensitive 
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transmissions. The password may be stolen or may be replicated using a trial and 
error or dictionary approach. 

[0005] Other authentication services such as biometric schemes i.e. iris scanning, 
5 use multiple factors to authenticate users as when using smart cards. 

[0006] In a distributed system in which there are multiple servers and multiple 
authentication schemes it has been difficult to create a system which meets all the 
needs. For example, various applications may be nmning on different network 

10 elements and network management platforms wherein there is a need to provide 
identification and subsequently authentication of end user operators in order to 
perform access control to the network infrastructure. One solution consists of 
delegating the authentication to a third party entity so that the "a-priori'' untrusted 
operator cannot fake the authentication process. In other cases the authentication 

15 policy is implemented on a per-application basis so that the operator needs to 
authenticate against different authentication mechanisms. This typically means 
that the mechanism used to achieve user authentication must rely on distributed 
devices that cannot be accessed directly using classical on the wire protocols. 

20 [0007] An example of a prior art authentication systems is discussed in a Sim White 
paper entitled "Making Log In Services Independent of Authentication 
Technologies'' by Samar and Lie. This paper describes a system wherein the 
authentication policy is enforced on the machine hosting the user to be 
authenticated. The solution makes use of a pluggable authentication module 

25 (PAM) to switch from one authentication backend to another. Using this 

mechanism the overall authentication process takes place locally at the user's work 
station. Since it does not make use of a trusted third party entity this solution does 
not fit in a general use case where the host is not trusted. 
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[0008] A second prior art solution is described in a technical white paper dated 
March 2003 entitled "Sun One Identity Server Overview". This solution makes use 
of a dedicated authentication server which allows a dedicated application server to 
handle incoming authenticated requests. The server maintains a trusted 
5 relationship with the user. 

[0009] A similar system is described in U.S. Patent 6,510,236 which relates to an 
authentication framework for managing authentication results from multiple 
authentication devices. For each type of authentication device a device 
10 authentication server verifies that the data is acceptable. 

[0010] These solutions generally solve the security issues inherent in the first prior 
art solution. However the solutions are not sufficiently flexible to handle a wide 
range of authentication schemes that could potentially be distributed across 
15 various elements of the network. In addition, these mechanisms and in particular 
that taught in the first prior art may be subject to tampering by an attacker. 

Summary of the Invention 

[0011] Accordingly, there is a need for a dedicated authentication server that 
20 performs the authentication of a end user. The server should be able to act 

transparently from the client's perspective to provide authentication services for a 
distributed system. The present invention provides this through the use of an 
authentication stack which has entries that trigger local or remote specific 
authentication actions to provide respective results which, when consolidated 
25 determine an authentication status of the end user client. Preferably, the 

authentication is created based on an authentication domain ID specified by the 
end user client. 
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[0012] Therefore, in accordance with a first aspect of the present invention there is 
provided a method of authenticating an end-user client in a computer-based 
communication system comprising the steps of: sending, by the end-user client, an 
authentication domain identifier to an authentication server; creating, by the 
5 authentication server and depending on the authentication domain identifier, an 
authentication stack comprising one or more stack entries; rendering, for each stack 
entry and depending thereon, an authentication service to produce an 
authentication result for that entry; and consolidating authentication results to 
obtain an authentication status for the end-user client. 

10 

Brief Description of the Drawing s 

[0013] The invention will now be described in greater detail with reference to the 
attached drawings wherein: 

15 [0014] Figure 1 illustrates the basic components of the authentication framework 
according to the present invention; 

[0015] Figure 2 is a flow diagram of the overall authentication process; 
20 [0016] Figure 3 illustrates the invention in a per distributed application basis; and 
[0017] Figure 4 illustrates a deployment use-case of the authentication stacks. 

Detailed Description of the Invention 

25 [0018] Figure 1 shows the basic components of the authentication framework 
according to the present invention. Using the framework an end user is able to 
authenticate through a stacking mechanism. As shown in Figure 1 a client on log 
in sends a message such as an authentication domain ID to an authentication 
server. A server builds an authentication model stack configuration which 
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provides a profile of the client based on the authentication domain ID. Through 
the authentication stack the authentication server is able to seek authentication 
through either remote authentication modules or local authentication modules. 
Each time a user triggers the authentication service the server creates a new 
5 authentication stack. Each element in the stack refers either to a local or to a 
remote module. Some of the entries of the stack may have been configured such 
that they are unable to render an actual authentication service but in fact trigger an 
authentication component that is remotely deployed. The processing of this 
remote component will create the actual authentication context necessary to handle 

10 the user authentication process on a specific authentication device. The 

authentication devices may be one of various biometrics schemes or it may be a 
cryptographic hardware service or appliance or it could be a smart card, USB token 
etc. The main authentication process that sits on the authentication server 
consolidates the results that it gets back from all of the virtual stack entities. It 

15 combines the consolidated results with the stack entries bound to the local 

authentication modules in order to reconstitute the entire authentication stack. 

[0019] Figure 2 is a flow diagram that sets out the overall authentication process 
flow. 

20 

[0020] First the client to be authenticated sends to the authentication server a so 
called authentication domain ID that could be, for example, an application service 
identifier. The authentication server builds the authentication stack according to 
. the configuration defined by the specific ID. Hence, a direct mapping must be 
25 explicitly defined on the authentication ser\^er to map an application ID with a list 
of software modules. An example of the configuration could be: 

-Application! 

RADIUSmodule 
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OSmodule 
-Application2 

SMARTCARDmodule 
OSmodule 
5 KERBEROSmodule 

[0021] At initiation of the authentication process each entry in the authentication 
stack is processed. If the entry is mapped to a local authentication module the 
authentication process is performed locally. Otherwise the authentication server 

10 triggers a remote authentication module which retrieves authentication data from 
its local authentication device. Once all the stack entries have been processed the 
authentication server consolidates the results. If the authentication is successful a 
unique session identifier characterising the authentication session is sent back to 
the client. Otherwise, the client is notified by the authentication server that the 

15 authentication process is failed. 

[0022] Figure 3 illustrates that by using the authentication stack module it is 
possible to reach different modules located on different applications running on 
different levels of the management network depending on the specific application. 

20 Thus, the solution provided by the present invention is easily deployed on a per 
distributed application basis. The solution leverages authentication 
synchronization capabilities into distributed environments where various software 
components using different authentication techniques need to share a common 
user authentication session. Thus the authentication requirements could be 

25 different depending if it is an alarm manager or more specific to the element 
management. 

[0023] As shown in Figure 3 the client operator connects to the network 
management system which runs the authentication server. The authentication 
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server triggers the authentication module that sits on the client and this could be 
OS, USB-tokens, smartcards etc. It then triggers the Element Management System 
(EMS) authentication module which may be running for example on an element 
management system. Then it would trigger authentication modules that are 
5 rimning on the network element relaying the request to a remote authentication 
server such as radius. 

[0024] Figure 4 exemplifies a deployment use case of the authentication stack in the 
course of an authentication process. In this case the client authentication involves 

10 different steps. A dedicated authentication module that sits on the client handles 
the operating system based authentication and retrieves OS credentials of the 
current logged in user. A server component handles directly the RADIUS based 
authentication and a smartcard authentication module handles authentication 
requests on the client side. The authentication module retrieves user credentials 

15 thanks to its direct access to the local smartcard reader appliance. An LDAP 
(lightweight directory access protocol) module that sits on a specific network 
element handles the authentication requests and access to the LDAP backend is 
performed through a dedicated LDAP module. 

20 [0025] The solution provided by the present invention provides a flexible manner 
of aggregating various kinds of authentication mechanisms relying on different 
network nodes into a centralized authentication stack. In addition to greater 
flexibility the compartmentalised nature of the solution makes the initial 
configuration and subsequent maintenance of authentication modules easier than 

25 the prior art approaches. Furthermore, the versatility of such a framework allows 
reconfiguration of authentication modules in a seamless way from an end user 
standpoint. The versatility of this framework is inherent to the distributed 
authentication stack entries. Hence a security administrator is able to deploy 
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remote authentication indifferently through the network premises and into the core 
telecom infrastructure as well. 

[0026] The solution requires the establishment of a secure channel between the 
5 client and the authentication server. Depending on the mechanism used this can 
introduce the requirement to provide extra resources both by the client and by the 
authentication server which may delay somewhat the overall authentication 
process. 

10 [0027] Although specific embodiments of the invention have been illustrated and 
described it will be apparent to one skilled in the art that numerous changes can be 
made without departing from the basic concept. It is to be understood, however, 
that such changes will fall within the full scope of the invention as defined by the 
appended claims. 



